Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Destover Malware Signed By Stolen Sony Certificate

Posted by Soulskill on from the everything-but-the-kitchen-sink dept.

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it's representative of the genre of malware that doesn't just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords. The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

80 comments

  1. This whole Sony story by ruir · · Score: 5, Insightful

    gets better everytime. This is not news anymore, it is a damn mexican soap opera.

    1. Re:This whole Sony story by Anonymous Coward · · Score: 0

      Better yet, this is like a game of Android: Netrunner playing out in real life... pass the popcorn.

    2. Re:This whole Sony story by gstoddart · · Score: 1

      Well, maybe this will be a wakeup call for them.

      From the sounds of it Sony's overall approach to security was quite inadequate, and they've had several systems hacked over the last few years.

      Only now instead of customer data, they're getting hit where it hurts and might have to actually take this seriously.

      --
      Lost at C:>. Found at C.
    3. Re:This whole Sony story by Paradise+Pete · · Score: 1

      When this is all over somebody's going to win a Pulitzer Prize for an article laying out the whole saga.

    4. Re:This whole Sony story by NotDrWho · · Score: 2

      It's like my grandpa always used to say "Kid, you DO NOT fuck with the The HD-DVD Promotion Group!"

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    5. Re:This whole Sony story by Anonymous Coward · · Score: 1

      You say that as though Sony's security practices are not normal for all Fortune 500 companies. There are probably a few shining examples of good behavior, but I haven't worked for a company in the last 15 years that cared to do more than the bare minimum. Even then it was only if they HAD to do it.

      Fact of the matter is we are seeing that there will always be someone out there with far more time and resources to test your systems security than you ever will. They are also likely much smarter than you because they don't have to deal with corporate bullshit politics and compromises in order to produce cost savings.

      We've just been naive to the fact that nothing is secure, never has been, and likely never will be.

    6. Re:This whole Sony story by Anonymous Coward · · Score: 0

      I agree with everything you say, apart from what has "Fortune 500" got to do with anything?

    7. Re:This whole Sony story by ShaunC · · Score: 2

      I think his point is that even billion-dollar enterprises, who can well afford to hire entire teams of information security and risk management professionals if they cared to do so, frequently don't bother. While IT in general is seen as a cost center and is often woefully underfunded, it at least exists, because management recognizes at some level that without employees to build and maintain that infrastructure, they wouldn't be able to check their email or load up their dashboards and revenue charts. Information security has no such tangible or visible benefit, and thus falls into the category of "why would we pay people for that?"

      The Sony case is interesting because this time around, unlike TJ Maxx, Target, Home Depot, et al it wasn't millions of faceless plebeian customers who got fucked over. No, this time the victim is the company itself. Nobody's going to fix this by issuing a boilerplate apology and offering victims a free year of useless credit monitoring service. The corporation is the one suffering (oh, the schadenfreude!); this actually scares enterprise management types, it's a threat that can be quantified. Sony's misfortune comes with the benefit that it's certainly cajoling a few other companies into taking a second look at their own security situations.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    8. Re:This whole Sony story by tlhIngan · · Score: 2

      You say that as though Sony's security practices are not normal for all Fortune 500 companies. There are probably a few shining examples of good behavior, but I haven't worked for a company in the last 15 years that cared to do more than the bare minimum. Even then it was only if they HAD to do it.

      One of the more famous hacks happened a few years ago, where hacks broke into one Sony website, then used the same vulnerability the next day to break into other Sony websites in another country. And repeated the same for several days.. Each day slurping up more data.

      It's one thing to have a vulnerability. It's another to not have it patched on all vulnerable sites.

    9. Re:This whole Sony story by cant_get_a_good_nick · · Score: 1

      I vote for Eric Estrada to play Ken Kutaragi.

      Dos Mujeres. Uno Carmageddon.

    10. Re:This whole Sony story by gstoddart · · Score: 0

      It's one thing to have a vulnerability. It's another to not have it patched on all vulnerable sites.

      Not that defending Sony is a habit I keep ...

      When you're talking about a company like Sony, which is really a zillion separate entities under one umbrella, I find it hard to believe Sony could have reacted so quickly as to lock down all other sites in one day.

      I'm betting no company that big is capable of responding that fast.

      I've worked for far smaller companies which had huge disconnects and delays between regional stuff. Something like Sony? I'm betting that's a monumental task, and that it's entirely separate divisions and people involved in the separate systems.

      --
      Lost at C:>. Found at C.
    11. Re:This whole Sony story by arth1 · · Score: 1

      When you're talking about a company like Sony, which is really a zillion separate entities under one umbrella, I find it hard to believe Sony could have reacted so quickly as to lock down all other sites in one day.

      I'm betting no company that big is capable of responding that fast.

      It depends on what kind of people they have hired. Those who actually take an interest and read underground news multiple times a day are more likely to have fixes in place long before the need is evaluated, determined and requested up and down the corporate chain.
      Even if it should break with policies to patch without permission, a halfway decent sysadmin would invoke emergency powers in cases like this, and do the paperwork later.

    12. Re:This whole Sony story by Anonymous Coward · · Score: 0

      The best thing that was ever said to me was "We're in the (non-IT-business), not the security business."

      Rings true when looking for profit. No one really gives two craps fully about security; most of it is security theater (shellshock? That got some attention. Still not patched fully.)

    13. Re:This whole Sony story by fustakrakich · · Score: 1

      Or this could be the ultimate honeypot... Sounds like a movie in the making... Everybody's breaking out the popcorn. Sony is selling the popcorn.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:This whole Sony story by Rich0 · · Score: 1

      When you're talking about a company like Sony, which is really a zillion separate entities under one umbrella, I find it hard to believe Sony could have reacted so quickly as to lock down all other sites in one day.

      I'm betting no company that big is capable of responding that fast.

      It depends on what kind of people they have hired. Those who actually take an interest and read underground news multiple times a day are more likely to have fixes in place long before the need is evaluated, determined and requested up and down the corporate chain.
      Even if it should break with policies to patch without permission, a halfway decent sysadmin would invoke emergency powers in cases like this, and do the paperwork later.

      Vulnerabilities come out every week. If you have to violate policy every week to keep up with them, then if the company wants to stick with the broken policy you're going to end up getting fired.

      A big principle in large companies is division of labor and responsibility. Nobody really feels like they own the whole thing, so nobody cares enough to stick their neck on the line. It is easier to just shrug your shoulders like everybody else when the big disaster happens. If you do work your heart out you at best won't get rewarded for it, and at worst will get penalized.

    15. Re:This whole Sony story by Rich0 · · Score: 1

      The best thing that was ever said to me was "We're in the (non-IT-business), not the security business."

      Rings true when looking for profit. No one really gives two craps fully about security; most of it is security theater (shellshock? That got some attention. Still not patched fully.)

      Yup. I once saw a movie (think mission impossible genre) where part of the movie involved breaking into a company in my industry to steal some kind of important data. It had the works - laser grids, armies of armed guards, etc. I was thinking that all they needed to do was get hired by the local cleaning company for $5/hr and MAYBE pick an office lock, but most likely just open up the filing cabinet with the data or walk out with a laptop. If they actually wanted to send in ninjas the local security would be lucky to notice, and if they did they'd just call the local police who I'm sure would dispatch both of their police cars sometime in the next 20 min.

      IT security is just as rigorous. Companies don't stay in business by hiring armies of guards/IT/etc.

    16. Re:This whole Sony story by Anonymous Coward · · Score: 0

      Well, maybe the Fortune 200 company I work at happens to be one of those shining examples, but I find it hard to imagine that most of them are as bad as Sony seems to have been.

      Sure, we probably have unknown vulnerabilities, but we keep things patched and firewalled and dmz'd (to the point where it's sometimes tough to get our own work done) and we have a ton of automated monitoring that will raise flags if (more like, when) something odd shows up in the (terabytes of) logs. Not saying we're bulletproof, just that we're not that bad.

    17. Re:This whole Sony story by Anonymous Coward · · Score: 0

      They're sure as hell not going to pull the movie with all this free press. They're going to make a lot of money.

  2. No difference by Anonymous Coward · · Score: 0

    So? Does this really mean anything for the consumer?
    It's not that Sony haven't used that certificate to sign malware before and it's not like I care if the malware is from Sony or some dude in Azerbaijan.

    1. Re:No difference by Golddess · · Score: 1

      It's not that Sony haven't used that certificate to sign malware before

      You are referring to the rootkit fiasco? Or something else?

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
  3. Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 3, Interesting

    Anyone working in IT will have no doubt come across those who I refer to as the "Certificate Crazies".

    These are people who, when confronted with a security issue of some sort, immediately try to remedy it with certificates.

    They insist on using certs everywhere from ssh authentication to signing apps. If certificates can be used, even if it makes the work unnecessarily awkward or even if it doesn't actually help in any way, they will insist on using certificates.

    And then normal people work around the awkwardness that certificates often bring, rendering them irrelevant.

    In practice, a certificate is nothing more than a long password that's impossible for a normal human to memorize. So it ends up in a file somewhere, if not several "somewheres", where it can be easily stolen. Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

    Meanwhile, the "Certificate Crazies" deny that this is a problem, even when confronted with stolen certificates that have been misused!

    After railing against passwords for so long, how they do these "Certificate Crazies" often suggest getting around problems with stolen certificates? Why, they recommend using a short, human-friendly password that's needed in order to use the certs!

    These people are a joke.

    1. Re:Here come the certificate flaw deniers....... by coniferous · · Score: 1

      What exactly is your point here? That certificates are worthless and shouldn't be used? (They aren't) That they are overused? (possibly). What's the alternative here anyways? two factor auth? I mean, I'm trying hard to find value in your post, but I'm not getting a lot of good points out of it. People misuse certs for sure, but that doesn't mean that as an authentication mechanism that they are useless.

    2. Re:Here come the certificate flaw deniers....... by jones_supa · · Score: 1

      How does signing executables work under Windows? I mean, some small company, let's say "John Doe Software" probably does not have its certificate verified down to the root level. Wouldn't this mean that anyone can create an executable with a certificate that says "John Doe Software"? Then I wouldn't know which one is authentic. Have I misunderstood something?

    3. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      Exactly. I always use good, old passwords with ssh instead of stupid public/private key pairs!

    4. Re:Here come the certificate flaw deniers....... by 0123456 · · Score: 1

      I mean, some small company, let's say "John Doe Software" probably does not have its certificate verified down to the root level.

      Uh, yes, it does, otherwise it would be useless. But any CA can sign a certificate for that company, so it's as strong as the least secure CA.

    5. Re:Here come the certificate flaw deniers....... by blackpaw · · Score: 3, Informative

      I work for a small company that signs its code - pretty much required if you want to install in any enterprise these days.

      Its a certificate chain - we purchase a cert from a provider such as Verisign. They request basic proof of identity - business registration, contact number etc. They create a cert for us signed by them. Their cert is signed by Microsoft.

      We sign our app with our cert - anyone accessing the binary signed by us can verify it hasn't been alterated and our cert was signed by Verisign, which was signed by Microsoft.

      Note that all this provides is proof that the exe was created by us. It in no way guareentees that we aren't distributing our own malware etc. But what it does provide is a way of tracing a exe back to the signer.

    6. Re:Here come the certificate flaw deniers....... by MouseR · · Score: 2

      Your certificate is authenticated by checking against it's parent certificate authority. That parent also has a parent. Rinse and repeat until you reach one of the top certificate authorities. There are seven of those (or just about?).

      For as long as the parents are valid and your certificate is valid, then it's considered signed.

      VeriSign, a top certificate authority back in 2001, had made the news because it's DB got compromised. All certificates underneath where disabled and the whole tree had to be re-created. Symantec bought VeriSign since.

    7. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      > A bunch of deranged rambling about "Certificate Crazies"

      >These people are a joke.

      You're projecting, and need to get some psychiatric help ASAP.

    8. Re:Here come the certificate flaw deniers....... by omnichad · · Score: 1

      You're confusing authentication with identify verification.

    9. Re:Here come the certificate flaw deniers....... by Alioth · · Score: 1

      Signing certificates are normally encrypted. Stealing the file will do no good unless you know the decryption passphrase. For example, to get a package into our local debian repository such that it can install/upgrade in our production environment, you'd not only need the gpg signing keys, but the 60+ character passphrase (which is NOT written down) to go with it.

      --
      Oolite: Elite-like game. For Mac, Linux and Windows
    10. Re:Here come the certificate flaw deniers....... by IamTheRealMike · · Score: 3, Informative

      In practice, a certificate is nothing more than a long password

      Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

      Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

      Double fail. Firstly, nobody actually steals certificates. Certificates are public. When someone says something was signed with a "stolen cert", what they actually mean is "stolen private key the public part of which is contained in a certificate signed by a trusted third party", but that's a mouthful, so we simply and say "stolen cert".

      Secondly, private keys can and absolutely should be protected with a password! Or they can be kept in special hardware. However, as you may have noticed, Sony got pwned pretty hard so presumably whatever private key was stolen either had no password, or they were able to just keylog the password when it was used.

      These people are a joke.

      The joke is on you ..... certificates are not a replacement for passwords and if you think they are, you didn't understand what they're used for.

    11. Re:Here come the certificate flaw deniers....... by Smerta · · Score: 3, Informative

      First of all, kudos to your small shop for actually signing your executables. I still find myself needing to install software from companies ($100M+ companies) that don't sign their executables (IAR Systems (ARM cross compiler), I'm looking at you, for example...)

      Anyway, I just wanted to clarify one thing that you wrote, because a lot of people don't understand the security implications:

      Note that all this provides is proof that the exe was created by us

      Technically, all this provides is proof that the exe was created by someone who has your private signing key. That's exactly what's going on here with Sony. The whole signing / certificate thing works, right up to the point where the signing key is leaked or extracted. I know you know this, but it's important enough IMO that it merits re-stating...

    12. Re:Here come the certificate flaw deniers....... by benjymouse · · Score: 1

      In practice, a certificate is nothing more than a long password that's impossible for a normal human to memorize. So it ends up in a file somewhere, if not several "somewheres", where it can be easily stolen.

      If certificates are used correctly they are stored in some kind of certificate store where they cannot just be "stolen".

      In the Windows certificate store, when you import a certificate, the default is to set the key to "non exportable". Non exportable means that you'll never get the key from that store - at least not from your user context (given that it is stored encrypted but on the local disk, an "root" user with access to physical disk sectors could theoretically reconstruct the key - but not without running with severely elevated privileges).

      You can still use the certificate to sign with - but you'll need to go through the crypto api which asks the certificate store to perform the signing without giving the private key away. This works even if the key is held in a connected hardware secure module (HSM) which will add more guarantee that private keys *never* leave the device.

      For better security you *should* use the cert store to generate the non-exportable private key to begin with. It can still be signed by an external entity like Verisign - even without the private key ever leaving the secured store.

      There is no excuse for having the private key stolen. The private key of a certificate used to sign software/drivers from a corporation like Sony should *definitively* have been created by a HSM and there should be guarantee that the key never leaves that HSM. There are well known products which will still allow you to load-balance HSMs, synchronize and take backups where the key will only ever leave the box in an encrypted container that will only be understood by a box that have been paired with the originating HSM/cert store.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    13. Re:Here come the certificate flaw deniers....... by jbengt · · Score: 1

      No matter how hard you try to fail-safe the use of software made by someone other than yourself, the entire thing boils down to trust of the user in the vendor, anyway.
      The problem exists that this entire chain depends on trust in each and every one of the links, and if any one of them becomes compromised, (or even compromise themselves on purpose - NSA?), it becomes a trusted attack vector.

    14. Re:Here come the certificate flaw deniers....... by ledow · · Score: 2

      Is this not why we have CRL's, though?

      You can't guarantee your key won't be stolen and used to sign malware. But you can say that you'll revoke it when that's the case, and re-sign your official software with the new key.

      Sure, it's a pain, and I don't know if Sony have done this - but the facility is there for the original owner to say "Actually, no, that's no longer a trusted cert... here, have this one instead".

    15. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      And someone swipes your cert, and then they can sign anything they want with it.

      Fundamentally broken.

      AC

    16. Re:Here come the certificate flaw deniers....... by PIBM · · Score: 1

      You just removed more than 375 bits of entropy of your pass phrase!

    17. Re: Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      The moment your security technology depends so heavily on "being used correctly" it should already be considered broken.

    18. Re:Here come the certificate flaw deniers....... by Carewolf · · Score: 1

      I work for a small company that signs its code - pretty much required if you want to install in any enterprise these days.

      Its a certificate chain - we purchase a cert from a provider such as Verisign. They request basic proof of identity - business registration, contact number etc. They create a cert for us signed by them. Their cert is signed by Microsoft.

      We sign our app with our cert - anyone accessing the binary signed by us can verify it hasn't been alterated and our cert was signed by Verisign, which was signed by Microsoft.

      Note that all this provides is proof that the exe was created by us. It in no way guareentees that we aren't distributing our own malware etc. But what it does provide is a way of tracing a exe back to the signer.

      Not if verisign or microsoft was compromised and new fake certificates was signed with the compromised master keys. Like the case with Sony here.

    19. Re:Here come the certificate flaw deniers....... by sjames · · Score: 1

      More that some people think certs are magic. They figure "just use a cert" and all is well without a single thought to setting up or maintaining an internal CA and properly securing the signing keys.

      That and somehow thinking that identities in run of the mill certs are somehow incontrovertible facts rather than understanding that the identity is no stronger than the verification procedures of the weakest trusted CA.

      My personal complaint about them is the screwy storage formats for the things.

    20. Re:Here come the certificate flaw deniers....... by hey! · · Score: 1

      In practice, a certificate is nothing more than a long password that's impossible for a normal human to memorize. So it ends up in a file somewhere,

      In other words you have no idea how they work, and you deal with that by calling people who advocate them "crazy".

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    21. Re:Here come the certificate flaw deniers....... by arth1 · · Score: 1

      Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

      I see what you're trying to tell him, but you make it sound like there is a technical difference between private and public keys.
      They are really just two keys of a key pair, and anything locked with one can only be unlocked by the other. Which one is named "private" and which one is named "public" does not really make a technical difference.
      It's customary to have the shorter of the two keys be designated the public key, and also common to store a copy of the public key with the private key for convenience, so it can be extracted on need. But that's not a technical difference.

      A certificate is just a piece of data signed with a private key.
      A key chain is just a bunch of public keys with certificates, one of which you're supposed to trust, and then you let that trust be inherited to anything below it. Inherited trust has always had its flaws, and signing does not change this. Just because you trust Anna and Anna vouches for Bridget, doesn't mean you should trust whoever Bridget vouches for, and whoever those in turn vouches for. That's like betting that friends of friends of friends will always be good people (or even who they claim to be).

    22. Re: Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      You sound like one of the people that the GP is talking about. A private key really isn't that different from a password. Both rely on obscurity in order to be effective, from a security standpoint. The actual data is irrelevant.

    23. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      Which one is named "private" and which one is named "public" does not really make a technical difference.

      A private key can be used to generate a public key. A public key can NOT be used to generate a private key. The reason why the private key is called "private" is that your security BREAKS COMPLETELY if it is published in any way. That is a significant "technical difference" in my opinion.

      A certificate is just a piece of data signed with a private key.

      Not _just_ data. Among other things, it contains the public key. There is a difference between a public key and arbitrary data.

      Inherited trust has always had its flaws, and signing does not change this.

      I agree.

    24. Re: Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      I can see why the GP called people like you "crazy". You employ excessive pedantry, and intentionally misunderstand what was said, in an attempt to put up a feeble defense of the untenable position you hold. Your comment actually proves the GP to be correct. It's better evidence than anything the GP could have provided.

    25. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      On certs security, my company takes our cert security very seriously. All certs are stored on air gaped computers and media. Being a small company only the owner has the pass phrase. But he has the phrase stored in a lock box at our storage locker.

    26. Re: Here come the certificate flaw deniers....... by hey! · · Score: 1

      It's really quite different from a password. And you don't know the meaning of "security through obscurity", either. All cryptographic systems rely upon secrets; a well designed one relies upon a single secret that is impractical to guess. Security through obscurity is relying upon a number of weak secrets, like the methods you are using.

      You need to read up on public key cryptography. There's a huge difference between a certificate and a shared password.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    27. Re:Here come the certificate flaw deniers....... by Rich0 · · Score: 1

      I mean, some small company, let's say "John Doe Software" probably does not have its certificate verified down to the root level.

      Uh, yes, it does, otherwise it would be useless. But any CA can sign a certificate for that company, so it's as strong as the least secure CA.

      Or the least principled one. You have to trust every CA in every country on the planet. If you're a US defense contractor should you be trusting some Chinese CA? If you're a Chinese defense contractor, should you be trusting Verisign? The SSL trust model is a joke.

    28. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      And someone swipes your cert, and then they can sign anything they want with it.

      Fundamentally broken.

      AC

      It is fundamentally broken in the same way a condom is, because it is not 100% safe. Real life security is about layers of protection, and certs certainly help add to the level of security. And if you do get a program signed with a rouge cert, it should be caught by your malware scanners, and if not the vulnerabilities it tries to exploit should be patched by your patch & remediation system (something like 90% of successful real world breaches could be prevented just by that alone) or the activity it creates should be caught by your intrusion detection/prevention systems.

    29. Re:Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

      Actually a private key cannot be used to create a public key. Now there are some private key file formats which contain both the private and public key, so it may seem like a private key can generate a public key.

      Both the private key and the public key are generated as a pair. Both keys can be used to encrypt something, and the other key is the only way to decrypt that something.

      Signing is encrypting the md5/sha value of a document.

    30. Re:Here come the certificate flaw deniers....... by arth1 · · Score: 1

      A private key can be used to generate a public key.

      No, it cannot. You probably think it does because of files that save both the private key and public key in the same file, like your typical .ssh/id_dsa file does.

      A certificate is just a piece of data signed with a private key.

      Not _just_ data. Among other things, it contains the public key.

      A cert does not have to include the public key. It is often included for convenience, but it is enough that it contains a signature for the key and description on how to get it.
      For large keys, or repeated traffic, including a short URI can be far more bandwidth friendly and time saving than including it - if the recipient already has the key, it does then not need to be re-sent.

  4. Why is the signing useful by jones_supa · · Score: 1

    What benefit does the attacker get by signing the malware with a company's certificate?

    1. Re:Why is the signing useful by Anonymous Coward · · Score: 1

      Well for a start all the chumps who have computers/devices that auto-approve certificates by Sony are now compromised without even knowing it.

    2. Re:Why is the signing useful by slaker · · Score: 1

      So... people who play Everquest or own off-brand prosumer content creation software?

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    3. Re:Why is the signing useful by Anonymous Coward · · Score: 0

      What benefit does the attacker get by signing the malware with a company's certificate?

      Pa\/\/n of N00bs.

    4. Re:Why is the signing useful by geogob · · Score: 3, Informative

      The aim of signing is to ensure users that the software their install is authentic (and assumed to be safe). Most users will blindly thrust non-signed software and drivers... almost no user will suspect a signed package. That already something.

      Furthermore, it also adds a bit to the drama of the whole story. For the hackers it's a bit like sitting on the throne with the crown on their head after having killed the king. The obviously like to humiliate their pray, and to that effect compromising their certificates in this way is wonderfully effective.

    5. Re:Why is the signing useful by jones_supa · · Score: 1

      Well for a start all the chumps who have computers/devices that auto-approve certificates by Sony are now compromised without even knowing it.

      So their devices automatically run all software from Sony? Can you give an example how they would get compromised without knowing it?

    6. Re:Why is the signing useful by Anonymous Coward · · Score: 0

      Sony does a bit more than that. Cameras, memory cards, televisions, gaming devices, the VAIO computer line, etc.

    7. Re:Why is the signing useful by Charliemopps · · Score: 1

      What benefit does the attacker get by signing the malware with a company's certificate?

      Last time a popup came up for a security cert and you clicked "Accept" did you notice that checkbox "Always trust this source" or something like that?

      That's why. If anyone can now claim their Sony, there are a lot of people that will not even get a warning and their computer/browser/whatever will just implicitly trust the cert.

    8. Re:Why is the signing useful by gstoddart · · Score: 1

      So their devices automatically run all software from Sony? Can you give an example how they would get compromised without knowing it?

      Well, just off the top of my head ... the Playstations probably use the signatures ... and Sony makes Vaio laptops ... they make Smart TVs.

      So, if you can target any of that stuff, it could be pretty easy. I'm not a security guy, but once the certificate is compromised you can start from there.

      Hell, send them a malicious URL which direct them to a system you control and tell them they need a critical security update.

      I always get the impression that once you can sign stuff with someone else's certificate, the real fun begins.

      --
      Lost at C:>. Found at C.
    9. Re:Why is the signing useful by mrchaotica · · Score: 1

      Well, just off the top of my head ... the Playstations probably use the signatures

      I'm looking forward to next week's headline: "Massive PS4 Botnet Discovered."

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Why is the signing useful by CronoCloud · · Score: 1

      Well, just off the top of my head ... the Playstations probably use the signatures ... and Sony makes Vaio laptops ...

      SOE and SCEfoo are different branches. They use separate logins and separate backends. SCEfoo wasn't affected by some SOE troubles and vice versa.

    11. Re:Why is the signing useful by CronoCloud · · Score: 1

      Unlikely, Sony's branches are independent. if it was Sony pictures, probably a Sony Pictures related certifcate. As an example, SCEfoo (Playstation Sony) wasn't affected by some SOE (Sony's PC game division) troubles some time back, and SOE wasn't affected by that big PSN breach. SOE and SCEfoo have separate logins and infrastructures.

    12. Re:Why is the signing useful by benjymouse · · Score: 2

      What benefit does the attacker get by signing the malware with a company's certificate?

      Windows has a mechanism where kernel-mode drivers must be signed. For certain mandatory, early-load drivers (e.g. anti-malware tools, measured boot tools) the drivers must be signed by Microsoft. But Windows allows other kernel-mode drivers to be loaded as long as they are signed using a valid, non-revoked code-signing cert from (IIRC) Verisign.

      Kernel-mode drivers can obviously access memory in kernel-mode. This is a common way for malware to take foothold on a Windows machine. It is really hard to ensure that Malware is executed during boot otherwise.

      Expect this certificate to be revoked in near future. This will close that avenue, and cause all machines infected drivers signed by the cert to refuse to load the malware driver.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    13. Re:Why is the signing useful by Anonymous Coward · · Score: 0

      Well, looking at it the other way, can Sony prove that it wasn't them who signed the malware? (after all, certificates are supposed to establish such identity---so we should hold them accountable for aiding the distribution of this walware, since they obviously signed it).

      (if the situation was reversed, and it was sony going after someone, that's exactly the argument they'd use.... after all, according to them, an IP address is enough to identify an individual.... but a digital signature isn't?)

    14. Re:Why is the signing useful by Blue+Stone · · Score: 1

      If true ... fuuuuuuuu .... My SONY TV just updated about an hour ago.

      Um ...

      Should I be worried? [Serious answers only, plz]

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    15. Re:Why is the signing useful by aiht · · Score: 1

      Expect this certificate to be revoked in near future. This will close that avenue, and cause all machines infected drivers signed by the cert to refuse to load the malware driver.

      And cause all machines with legitimate Sony drivers (if there is such a thing?) signed with the same cert to refuse to load those too.

    16. Re:Why is the signing useful by benjymouse · · Score: 1

      Expect this certificate to be revoked in near future. This will close that avenue, and cause all machines infected drivers signed by the cert to refuse to load the malware driver.

      And cause all machines with legitimate Sony drivers (if there is such a thing?) signed with the same cert to refuse to load those too.

      Unfortunately, yes. Sony will have to re-issue those legitimate drivers and sign them with a new cert. That is actually a good reason why a code signing certificate for widely distributed software absolutely should reside within a HSM, which will make the private key impossible to steal.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  5. "No Buy" list by Anonymous Coward · · Score: 0

    Good that Sony is in many people's "No Buy" list: this way the malware can't do much harm, right?

    (Captcha was "viruses". Creepy, huh?)

    1. Re:"No Buy" list by Anonymous Coward · · Score: 0

      This certificate has been used to spread malware for years. That someone else than Sony uses it for that purpose doesn't matter to the victim.

  6. Oh great, now I can't trust Sony by NotDrWho · · Score: 4, Funny

    Just yesterday, they were the bastion of trustworthy software. Now this!

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Oh great, now I can't trust Sony by Anonymous Coward · · Score: 0

      Really? Apparently you missed http://www.businessweek.com/stories/2005-11-21/sonys-escalating-spyware-fiasco

  7. Malware compromising machines? by lippydude · · Score: 2

    Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP ..

  8. Oldie but goody by Anonymous Coward · · Score: 0

    http://www.thebestpageintheuniverse.net/c.cgi?u=sony_bullshit

  9. Here come the certificate flaw deniers....... by Anonymous Coward · · Score: 0

    If we are talking about those who would use certificates and trust verisign/thawte/etc, I agree with your sentiment. In practice, that actually is how the cards are stacked (particualrly with microsoft's library, which doesn't make it easy to do otherwise).

    Certificates are not so bad if you apply it more precisely, so that certain subsystems are highly selective about trusting CAs that are pertinent only to that subsytem. For example, a company having an internal CA should not trust other CAs for internal use. By the same token, that CA should have constraints such that it won't be trusted to sign thinks like bank domains.

    Of course you are saying about user authentication, which is a trickier thing, while this article and I are talking about code and server certificates. User authentication is a lot more subjective since it relies as much upon human behavior as anything without much recourse to train it out.

  10. Why wasn't this already revoked? by medv4380 · · Score: 1

    The scale of the Sony hack should have prompted the System admin to revoke any, and all certs that had the slightest possibility of being compromised. You can't keep the hackers out of your new fixed system if you still honor the certs they stole.

    1. Re:Why wasn't this already revoked? by jandrese · · Score: 1

      Because CRLs suck and using them is a last resort. Plus, Sony has to re-issue the certs first or it will break existing consumer equipment. There is a chicken and egg problem where you want to push down the new certs securely before you invalidate the old ones, otherwise the consumers will get a warning about an improperly signed server trying to mess with the security on their machine.

      Or they have to wait for some third party (Windows Update for instance) to push it out, which takes time.

      --

      I read the internet for the articles.
  11. Whew!!! by CaptainDork · · Score: 1

    Windows 3.1 is not listed.

    --
    It little behooves the best of us to comment on the rest of us.
  12. Apparently not. by Anonymous Coward · · Score: 4, Informative

    From ISC SANS

    "Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite "harmless" and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename for the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr, and uploaded it to Virustotal to alert security companies. Kaspersky analyzed the sample, and published the results, not realizing that this was not an "in the wild" sample. [1] The certificate has been added to respective CRLs."

  13. Not the first by Myria · · Score: 1

    Well, it wouldn't be the first Sony-signed rootkit...

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager